FIGS. 1A and 1B show a classic data center network aggregation as is currently well known. FIG. 1A shows a diagrammatical view of a typical network data center architecture 100 wherein top level switches 101a-n are at the tops of racks 102a-n filled with blade servers 107a-n interspersed with local routers 103a-f. Additional storage routers and core switches. 105a-b and additional rack units 108a-n contain additional servers 104 e-k and routers 106a-g FIG. 1b shows an exemplary physical view 110 of a system with peripheral servers 111a-bn arranged around edge router systems 112a-h, which are placed around centrally located core switching systems 113. Typically such an aggregation 110 has 1-Gb Ethernet from the rack servers to their top of rack switches, and often 10 Gb Ethernet ports to the edge and core routers. These typical data centers do not have good security.
The idea of network security is well known. The terms used in field of network security may include deep packet inspection (DPI) and intrusion prevention systems (IPS) which are also known as Intrusion Detection and Prevention Systems (IDPS) and are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity. The network security may also utilize an intrusion detection system (IDS), which is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
FIG. 2 shows a typical implementation of an IDS and IPS within a corporate network. In the typical implementation, the IDS is focused on detection, monitoring, and reporting of potential intrusions. As such, the IDS is implemented out-of-line of the core network flow and is not invasive (located outside of the firewall and attached to a DMZ switch as shown in FIG. 2). The IPS adds the capability to prevent and block potential intrusion or undesired network flows and the IPS is implemented in-line of the core network flow.
Typical systems of a chip (SoCs) have security features, such as security zones. For example, ARM® processors and IP implement TrustZone as one layer of hardware, software, and system security. Further details of the TrustZone aspect of ARM® processors and IP can be found at http://www.arm.com/products/processors/technologies/trustzone.php and the materials located there are incorporated herein by reference. The security of the system is achieved by partitioning all of the SoC's hardware and software resources so that they exist in one of two worlds—the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI bus fabric ensures that no Secure world resources can be accessed by the Normal world components, enabling a strong security perimeter to be built between the two.
The second aspect of the TrustZone hardware architecture is the extensions that have been implemented in some of the ARM® processor cores. These extensions enable a single physical processor core to safely and efficiently execute code from both the Normal world and the Secure world in a time-sliced fashion. This removes the need for a dedicated security processor core, which saves silicon area and power, and allows high performance security software to run alongside the Normal world operating environment. However, these SOC security features have not been effectively extended to the security of a data center.
Thus, it is desirable to provide a data center security system and method that leverage server systems on a chip (SOCs) and/or server fabrics, and it is to this end that the disclosure is directed.